8

My co-worker is being unsafe with his code and is allowing a user to upload an SQL file to be run on the server. He strips out any key words in the file such as "EXEC", "DROP", "UPDATE", "INSERT", "TRUNC"

I want to show him the error of his ways by exploiting his EXEC ( @sql )

My first attempt will be with 'EXEXECEC (N''SELECT ''You DRDROPOPped the ball Bob!'')'

But he might filter that all out in a loop.

Is there a way I can exploit my co-worker's code? Or is filtering out the key words enough?

Edit: I got him to check in his code. If the code contains a keyword he does not execute it. I'm still trying to figure out how to exploit this using the binary conversion.

Biff MaGriff
  • 8,102
  • 9
  • 61
  • 98
  • 1
    +1 For such an awesome question. We should exploit our co-workers more often. – Jordan Parmer Sep 16 '10 at 22:32
  • Just give us the `URL` and log the uploads! – Quassnoi Sep 16 '10 at 22:36
  • As for your first attempt: are you telling us your co-worker still tries to execute a piece of uploaded code *after* he found an `EXEC` there? – Quassnoi Sep 16 '10 at 22:41
  • I'm not sure exactly how he does it at the moment. He forgot to add the files with the validation to subversion :( so I can't check up on him. – Biff MaGriff Sep 16 '10 at 23:00
  • But yes, coders daft enough to think they get blacklist their way out of this situation quite often employ approaches like naïve stripping. – bobince Sep 16 '10 at 23:15

2 Answers2

5

  1. Tell your co-worker he's a moron.

  2. Do an obfuscated SQL query, something like:

    select @sql = 0x44524f5020426f627350616e7473

This will need some tweaking depending on what the rest of the code looks like, but the idea is to encode your code in hex and execute it (or rather, let it be executed). There are other ways to obfuscate code to be injected.

You've got a huge security hole there. And the funny part is, this is not even something that needs to be reinvented. The proper way to stop such things from happening is to create and use an account with the correct permissions (eg: can only perform select queries on tables x, y and z).

NullUserException
  • 83,810
  • 28
  • 209
  • 234
1

Have a look at ASCII Encoded/Binary attacks ...

should convince your friend he is doomed.. ;)

And here some help on how to encode the strings ..
Converting a String to HEX in SQL

Community
  • 1
  • 1
Gabriele Petrioli
  • 191,379
  • 34
  • 261
  • 317